What is Risk-Based Quality Management (RBQM)?
We thought we were in control…until we weren’t!
That’s the feeling many teams face when clinical trials don’t go as planned. Whether it’s a GCP inspection uncovering issues they thought were covered, unexpected delays, resource-heavy fire drills, unmitigated risks turning into issues, or quality gaps that only become visible when timelines slip.
The outcome is the same: reacting instead of anticipating.
The truth? The signs were there. We were just looking in the wrong places.
This is exactly why Risk-Based Quality Management (RBQM) matters, and why it’s not just another regulatory buzzword.
It’s a call to shift from reactive firefighting to proactive foresight.
What is Risk-Based Quality Management (RBQM)?
RBQM is the term commonly used in the pharmaceutical industry to describe the management of quality throughout the trial lifecycle, with a focus on the areas that are critical to that quality.
And what is “quality” in this context? As defined in ICH E6(R3), quality in clinical trials means ensuring:
- Human subject protection (safety, rights, and well-being of trial participants)
- Reliability of trial results
These are, in fact, the pillars of GCP.
But RBQM is not New!
It didn’t arrive with ICH E6(R3). In fact, the term has been around for over a decade.
The EMA Reflection Paper on Risk-Based Quality Management (2013) clearly stated:
Since perfection in every aspect of an activity is rarely achievable or can only be achieved by disproportionate allocation of resources, it is necessary to establish a risk-based quality management system. The ultimate principles are reliability of the trial results and the well-being and safety of trial subjects.
This approach emphasizes identifying trial priorities, mitigating significant and serious risks, and setting acceptable ranges within which different processes can operate.
Then came ICH E6(R2) in 2016, which introduced RBQM formally, not as a recommendation, but as a requirement.
How does RBQM work in practice?
RBQM is built on a systematic, continuous process that identifies, assesses, controls, communicates, and reviews risks throughout the clinical trial lifecycle. It also opens the door to rethink traditional practices, introducing proportionate, beneficial adaptations in how we manage, monitor, and conduct our studies.
This starts as early as protocol design, so that mitigation strategies can be embedded in the protocol and related documents.
Let’s take a look at the RBQM framework in action. The diagram below captures the structured flow of how risk-based quality is designed, implemented, and continuously reviewed across a trial’s lifecycle.
At the heart of the model lies the risk assessment process, beginning with the context:
- What matters most?
- What lessons have we already learned?
- Where is the trial most vulnerable?
From there, we identify Critical to Quality Factors (CTQFs) and potential hazards, evaluate the risks they pose, and define control strategies that can be adapted during the trial.
This framework is not static. Communication, monitoring, and review are ongoing, ensuring that quality is managed where it matters most.
The output of this entire process?
Clear, traceable Risk Reporting, supported by specialized RBQM software and feeding into the Final Study Report or CSR. Evidence that oversight was focused, intentional, and aligned with GCP.
Key Concept: What is Risk?
According to ICH Q9, Risk is:
The combination of the probability of occurrence of harm and the severity of that harm.
Notice: detectability is not included in the formal definition, but it’s still crucial in evaluating risk practically.
Risk Assessment vs. Risk Management
Let’s clarify two key terms, often confused:
Risk Management (ICH Q9)
A systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risk.
Risk Assessment (ICH Q9)
A subprocess within risk management, involving a structured way to gather and organize information to support risk-related decisions. It includes:
- Identifying hazards
- Analyzing and evaluating the associated risks
What questions does Risk Assessment try to answer?
These are universal questions asked in all high-risk industries:
- What can go wrong? (Risk)
- How often does/will it happen? (Probability of occurrence)
- How bad are the consequences? (Severity)
- If it happened, how would we know? (Likelihood of detection)
- Is the risk acceptable? (Risk evaluation & remediation)
Key Terminology to Align On
Before we go deeper into applying risk-based principles, it’s important that we’re all speaking the same language.
RBQM involves concepts that may sound familiar but have very specific meanings in a clinical trial context.
Below is a visual summary of the key terms you’ll need to navigate risk assessment and management confidently.
Why this series, and what comes next?
In our previous issues, we highlighted the importance of RBQM. But understanding its value is not enough.
Now, we begin breaking down the HOW step by step.
In the coming newsletters, we’ll:
- Dive into each element of the RBQM framework.
- Offer practical guidance.
- Share insights rooted in real-world experience.
Until then, reflect on this:
Are you managing risk… or simply hoping to avoid it?
Our mission?
To help you shift the mindset from reactive and checklist-driven, to proactive and risk-based.
—–
WiseCLIN is our purpose-built RBQM software designed to help sponsors implement risk based quality management in a structured, traceable, and inspection-ready way. Aligned with the principles of ICH E6(R3), WiseCLIN supports proactive RBQM by connecting risk identification, evaluation, mitigation, review, and oversight in one practical workflow.
Contact us here to learn more or request a demo.
Thank You,
Dr. Leire Zuñiga – PharmD PhD
Co-Founder and CQO, Qlarix | Founder and Managing Director, Pharmity | Risk-Based Quality Management (RBQM) Expert.
20+ years experience in Pharma, Biotech, CROs. Skilled in Quality Management, Good Clinical Practice and Computerised System Validation.
